Research how document level security works with array values #506
Comments
Currently doing research and reading ElasticSearch documentation. On an initial research and superficial analysis, I suspect this requirement could be satisfied using a DSL Script query, with something like:

```json
{
  "bool": {
    "filter": {
      "script": {
        "script": """
          // membership test on the multi-valued field; .value would only
          // return the first value of a multi-valued keyword field
          return doc['agent.groups'].contains('test_group');
        """
      }
    }
  }
}
```
Found and tested two different methods to apply document-level security that satisfies the requirement: one approach uses TLQs, and the other a Script query. In this POC I've used the following index:

```json
{
  "settings": {
    "index": {
      "number_of_shards": 1,
      "number_of_replicas": 1
    }
  },
  "mappings": {
    "properties": {
      "title": {
        "type": "text"
      },
      "content": {
        "type": "text"
      },
      "groups": {
        "type": "keyword"
      }
    }
  }
}
```

With these docs:

```json
{"title":"test_1","content":"This will have all groups","groups":["groupA","groupB","groupC"]}
{"title":"test_2","content":"This will have only group C","groups":["groupC"]}
{"title":"test_3","content":"This will have groups B and C ","groups":["groupB","groupC"]}
{"title":"test_4","content":"This will have groupA and groupC","groups":["groupA","groupC"]}
{"title":"test_5","content":"This will have groupB","groups":["groupB"]}
```

Document-level security role with Term-level lookup query

This query method searches for documents that contain a specific term, in this case the term `groupB`. DLS Role:

```json
{
  "cluster_permissions": [
    "*"
  ],
  "index_permissions": [{
    "index_patterns": [
      "content*"
    ],
    "dls": "{\"terms_set\": {\"groups\": {\"terms\": [\"groupB\"], \"minimum_should_match_script\": {\"source\": \"1\"}}}}",
    "allowed_actions": [
      "read"
    ]
  }]
}
```

Response of a user with that role applied:

```json
...
"hits": [
  {"_index": "content","_id": "CoAj-JIBxjld0LZtKnDu","_score": 2.0,"_source": {"title": "test_1","content": "This will have all groups","groups": ["groupA","groupB","groupC"]}},
  {"_index": "content","_id": "DIAj-JIBxjld0LZtKnDv","_score": 2.0,"_source": {"title": "test_3","content": "This will haver groups B and C ","groups": ["groupB","groupC" ] } },
  {"_index": "content","_id": "DoB1-JIBxjld0LZtdHC0","_score": 2.0,"_source": {"title": "test_5","content": "This will have groupB","groups": ["groupB"]}}
]
...
```

Document-level security role with Script Query

In this case we filter the documents by checking that the field "groups" contains the value "groupA". DLS Role:

```json
{
  "cluster_permissions": [
    "*"
  ],
  "index_permissions": [{
    "index_patterns": [
      "content*"
    ],
    "dls": "{\"bool\": {\"filter\": [{\"script\": {\"script\": \"return doc[\\\"groups\\\"].contains(\\\"groupA\\\");\"}}]}}",
    "allowed_actions": [
      "read"
    ]
  }]
}
```

Response of a user with that role applied:

```json
...
"hits": [
  {"_index": "content","_id": "CoAj-JIBxjld0LZtKnDu","_score": 2.0,"_source": {"title": "test_1","content": "This will have all groups","groups": ["groupA", "groupB", "groupC"]}},
  {"_index": "content","_id": "DYBy-JIBxjld0LZtrXAG","_score": 2.0,"_source": {"title": "test_4","content": "This will have groupA and groupC","groups": ["groupA", "groupC"]}}
]
...
```
Exclusive filtering method

Using the script query, we can filter the results by excluding matches that belong to other groups apart from the one we want to filter. The rule looks like this:

```json
{
  "cluster_permissions": [
    "*"
  ],
  "index_permissions": [{
    "index_patterns": [
      "content*"
    ],
    "dls": "{\"bool\": {\"filter\": [{\"script\": {\"script\": \"return doc[\\\"groups\\\"]==[\\\"groupA\\\"];\"}}]}}",
    "allowed_actions": [
      "read"
    ]
  }]
}
```

Search returns:

```shell
curl -XGET https://localhost:9200/content/_search -u testing:TestPassword00! --insecure
{"took":3,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":2.0,"hits":[{"_index":"content","_id":"usiSBpMB_D-360vHBCBO","_score":2.0,"_source":{"title":"test_1","content":"This will have only groupA","groups":["groupA"]}}]}}
```
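As an added example (not code from the issue or from the project), the following Python builds the `dls` strings of the three roles above with `json.dumps` instead of hand escaping, and models locally which of the sample documents each variant exposes, so the expected hits of a role can be checked before it is deployed. It assumes the field name and group values from the issue, adds one constructed single-group document, and runs no query against OpenSearch.

```python
import json

# Constructed copy of the issue's sample documents plus one single-group
# document (test_6) so the exclusive filter has something to match.
DOCS = [
    {"title": "test_1", "groups": ["groupA", "groupB", "groupC"]},
    {"title": "test_2", "groups": ["groupC"]},
    {"title": "test_3", "groups": ["groupB", "groupC"]},
    {"title": "test_4", "groups": ["groupA", "groupC"]},
    {"title": "test_5", "groups": ["groupB"]},
    {"title": "test_6", "groups": ["groupA"]},  # constructed
]


def build_dls(method, field, groups):
    """JSON string for the role's "dls" key; json.dumps does the quoting."""
    if method == "terms_set":
        # any one of the listed groups is enough (minimum_should_match = 1)
        q = {"terms_set": {field: {"terms": groups,
                                   "minimum_should_match_script": {"source": "1"}}}}
    elif method == "script_contains":
        # Painless membership test on the multi-valued keyword field
        src = " || ".join(f'doc["{field}"].contains("{g}")' for g in groups)
        q = {"bool": {"filter": [{"script": {"script": f"return {src};"}}]}}
    elif method == "exclusive":
        # Painless list equality: document must be in exactly these groups
        src = f'doc["{field}"]=={json.dumps(groups)}'
        q = {"bool": {"filter": [{"script": {"script": f"return {src};"}}]}}
    else:
        raise ValueError(method)
    return json.dumps(q)


def visible(method, groups, docs=DOCS):
    """Local model of which documents each DLS variant lets a user read."""
    hits = []
    for d in docs:
        have = d["groups"]
        if method in ("terms_set", "script_contains"):
            ok = any(g in have for g in groups)  # overlap of at least one group
        elif method == "exclusive":
            ok = have == groups  # order-sensitive, like List.equals in Painless
        else:
            raise ValueError(method)
        if ok:
            hits.append(d["title"])
    return hits
```

Note that the terms_set and contains variants both expose every document that shares at least one group with the role, while the exclusive variant hides any document that also belongs to another group.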
What if groups is an array of objects inside another object, like:
Description

All our indices include the field `agent.groups` to implement RBAC using document-level security. The main goal is to filter documents by roles, so only users with the appropriate role that grants permissions to see certain groups of agents are effectively allowed to.

The `agent.groups` field is an array of strings, containing the IDs of the groups the agent belongs to. We are not sure how document-level security behaves on array values. We need to explore this functionality to ensure our requirements for RBAC are met.

For example, a role that grants a user permission to see documents that belong to the agent group "group2" should be able to see documents whose `agent.groups` value contains that group ID, for example `agent.groups: [group1, group2, group7]`.